The branch, master has been updated
       via  811e2f55290 GPO: Add rsop output for Messages policy
       via  2ef88466f49 GPO: Test rsop output for Messages policy
       via  1544929feec gpo: Apply Group Policy Login Prompt Message
       via  b76d55cc908 gpo: Test Group Policy Login Prompt Message
       via  a4f598fde8c gpo: Apply Group Policy Message of the day
       via  e8757e0d36c gpo: Test Group Policy Message of the day
       via  fee00231f69 GPO: Add rsop output for smb.conf policy
       via  101b5f17f12 GPO: Test rsop output for smb.conf policy
       via  3303869c4b8 gpo: Add CSE for applying smb.conf
       via  37661d1aaca gpo: Test Group Policy smb.conf Extension
       via  cb994befb0c gpo: Add admx files for smb.conf parameters
       via  ab347c861ce gpo: gp_krb_ext always uses set_kdc_tdb to update
       via  5128dc7db32 gpo: Move gp_sec_ext conversion functions to top
       via  7d6d160a8ed gpo: Display Security Extension RSOP on ADDC only
       via  c887f7a7d23 gpo: Fix unapply failure when multiple extensions run
       via  7e507dd8865 gpo: Test multiple extension unapply
       via  8626910c0ea gpo: Sudoers ext should not crash if policy missing
       via  87fe86270e1 gpo: Script ext should not crash if script missing
       via  7c6969e9c9c gpo: Cleanup sudoers policy test
       via  7acbb440400 gpo: Cleanup script policy test
       via  0544237ea2c gpo: Avoid using distutils since it will be deprecated
       via  0a7e2e39847 gpo: Clarify the contents of deleted_gpo_list in process_group_policy
       via  bc38d3afe38 gpo: Add rsop output for Sudoers policy
       via  4148af125be gpo: Test rsop output for Sudoers policy
       via  5249727f902 Add WHATSNEW section on Client Group Policy
      from  f8b7ee024ba s3: libsmb: Remove one more ugly sockaddr cast in resolve_name_list() by converting to samba_sockaddr.

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 811e2f55290dc1af2439954f690b8b3c3749b607
Author: David Mulder <dmul...@suse.com>
Date:   Wed Aug 19 11:27:26 2020 -0600

    GPO: Add rsop output for Messages policy

    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

    Autobuild-User(master): David Mulder <dmul...@samba.org>
    Autobuild-Date(master): Thu Aug 27 17:19:48 UTC 2020 on sn-devel-184

commit 2ef88466f49d9c50f37b6e68e08fcda136050ec1
Author: David Mulder <dmul...@suse.com>
Date:   Wed Aug 19 11:25:57 2020 -0600

    GPO: Test rsop output for Messages policy

    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 1544929feecd4062b5f684226717a639a74cdd52
Author: David Mulder <dmul...@suse.com>
Date:   Wed Jul 8 15:30:25 2020 -0600

    gpo: Apply Group Policy Login Prompt Message

    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit b76d55cc9087c6f75b25cc42d862a26b2579d3e0
Author: David Mulder <dmul...@suse.com>
Date:   Thu Jul 9 09:53:34 2020 -0600

    gpo: Test Group Policy Login Prompt Message

    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit a4f598fde8cfa564613108397b0a645277cf0ace
Author: David Mulder <dmul...@suse.com>
Date:   Wed Jul 8 15:29:42 2020 -0600

    gpo: Apply Group Policy Message of the day

    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit e8757e0d36c56d18c8597832dddfd0a7214772f5
Author: David Mulder <dmul...@suse.com>
Date:   Thu Jul 9 08:39:41 2020 -0600

    gpo: Test Group Policy Message of the day

    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit fee00231f6971014ec1c00e5104148e52acf31f3
Author: David Mulder <dmul...@suse.com>
Date:   Wed Aug 19 14:23:37 2020 -0600

    GPO: Add rsop output for smb.conf policy

    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 101b5f17f129cbbc2689de2dcc8d6e6cb164e270
Author: David Mulder <dmul...@suse.com>
Date:   Wed Aug 19 13:02:48 2020 -0600

    GPO: Test rsop output for smb.conf policy

    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 3303869c4b8659904e490e4ca1bc8bbcd340138d
Author: David Mulder <dmul...@suse.com>
Date:   Wed Jul 18 11:34:09 2018 -0600

    gpo: Add CSE for applying smb.conf

    Add an extension that applies smb.conf params applied via the
    smb.conf admx files.

    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 37661d1aacaa7b761134c3f21a241ee0c1539d21
Author: David Mulder <dmul...@suse.com>
Date:   Wed Jul 25 15:24:35 2018 -0600

    gpo: Test Group Policy smb.conf Extension

    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit cb994befb0c89c8a1182919348540d94c60543ee
Author: David Mulder <dmul...@suse.com>
Date:   Tue Jul 17 13:15:38 2018 -0600

    gpo: Add admx files for smb.conf parameters

    Administrative Template (admx) files are installed to the sysvol
    central store, and apply Group Policy settings to the sysvol, via the
    Group Policy Management Console (gpmc). These admx files add smb.conf
    settings to the gpmc.

    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit ab347c861ce670d29773599c9d2572a42db0bdcb
Author: David Mulder <dmul...@suse.com>
Date:   Fri Aug 7 14:15:30 2020 -0600

    gpo: gp_krb_ext always uses set_kdc_tdb to update

    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 5128dc7db324c08d036475e46f8edcc99565fed3
Author: David Mulder <dmul...@suse.com>
Date:   Fri Aug 7 14:09:27 2020 -0600

    gpo: Move gp_sec_ext conversion functions to top

    These functions don't actually use self, so can be moved to top level
    functions.

    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 7d6d160a8ed74ae44e3bbb01818fcf54d18e1fa6
Author: David Mulder <dmul...@suse.com>
Date:   Fri Aug 7 11:09:17 2020 -0600

    gpo: Display Security Extension RSOP on ADDC only

    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit c887f7a7d2303121a3a59fa7161ddf08053c31da
Author: David Mulder <dmul...@suse.com>
Date:   Thu Aug 6 17:25:47 2020 -0600

    gpo: Fix unapply failure when multiple extensions run

    When multiple Group Policy Extensions are present, only the last
    executed extension saves its changes to the Group Policy Database, due
    to the database being loaded separately for each extension.

    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 7e507dd8865a5108c31782fb8e603fc4dca627d9
Author: David Mulder <dmul...@suse.com>
Date:   Thu Aug 6 15:41:13 2020 -0600

    gpo: Test multiple extension unapply

    Verify that an unapply of multiple extensions deletes the script files
    and policy settings.

    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 8626910c0eaaac57d95d2b2f8583ee0c732d98c6
Author: David Mulder <dmul...@suse.com>
Date:   Fri Aug 7 13:44:55 2020 -0600

    gpo: Sudoers ext should not crash if policy missing

    If a user has manually removed a policy, the extension should not
    crash in an unapply removing it.

    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 87fe86270e16cc06d4d4d6462705b2c3c93a473c
Author: David Mulder <dmul...@suse.com>
Date:   Fri Aug 7 13:39:18 2020 -0600

    gpo: Script ext should not crash if script missing

    If a user has manually removed a script, the extension should not
    crash in an unapply removing it.

    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 7c6969e9c9cccc1fdf0a668389bc9b3eaa6d2831
Author: David Mulder <dmul...@suse.com>
Date:   Fri Aug 7 13:59:32 2020 -0600

    gpo: Cleanup sudoers policy test

    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 7acbb4404006fa24ef6c66d324f20a7fbe3bf4b9
Author: David Mulder <dmul...@suse.com>
Date:   Fri Aug 7 13:58:34 2020 -0600

    gpo: Cleanup script policy test

    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 0544237ea2c1cf7d507e60e2757653711be5e308
Author: David Mulder <dmul...@suse.com>
Date:   Thu Aug 6 15:18:16 2020 -0600

    gpo: Avoid using distutils since it will be deprecated

    We shouldn't use distutils.spawn.find_executable here, since its use
    is discouraged:
    https://docs.python.org/3/library/distutils.html

    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit 0a7e2e39847e89ed62e4ba8e4094f224bc627dc3
Author: David Mulder <dmul...@suse.com>
Date:   Thu Aug 6 13:30:36 2020 -0600

    gpo: Clarify the contents of deleted_gpo_list in process_group_policy

    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>

commit bc38d3afe380c0892e6d5b791cbb19624b43d612
Author: David Mulder <dmul...@suse.com>
Date:   Thu Aug 6 12:44:41 2020 -0600

    gpo: Add rsop output for Sudoers policy
Signed-off-by: David Mulder <dmul...@suse.com> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> commit 4148af125be5d690682602976f525460e386330e Author: David Mulder <dmul...@suse.com> Date: Thu Aug 6 14:53:02 2020 -0600 gpo: Test rsop output for Sudoers policy Signed-off-by: David Mulder <dmul...@suse.com> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> commit 5249727f90215ef83fc7233a5e721c752b3b223d Author: David Mulder <dmul...@suse.com> Date: Thu Aug 6 12:38:14 2020 -0600 Add WHATSNEW section on Client Group Policy Signed-off-by: David Mulder <dmul...@suse.com> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> ----------------------------------------------------------------------- Summary of changes: WHATSNEW.txt | 22 + libgpo/admx/en-US/samba.adml | 4610 ++++++++++++++++++++++++++++++++++ libgpo/admx/samba.admx | 2478 ++++++++++++++++++ python/samba/gp_msgs_ext.py | 83 + python/samba/gp_scripts_ext.py | 11 +- python/samba/gp_sec_ext.py | 67 +- python/samba/gp_smb_conf_ext.py | 102 + python/samba/gp_sudoers_ext.py | 36 +- python/samba/gpclass.py | 3 + python/samba/tests/gpo.py | 290 ++- source4/scripting/bin/samba-gpupdate | 18 +- 11 files changed, 7662 insertions(+), 58 deletions(-) create mode 100644 python/samba/gp_msgs_ext.py create mode 100644 python/samba/gp_smb_conf_ext.py Changeset truncated at 500 lines: diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 23210d351d8..3927c0645f1 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -17,6 +17,28 @@ NEW FEATURES/CHANGES ==================== +Client Group Policy +------------------- +This release extends Samba to support Group Policy functionality for Winbind +clients. Active Directory Administrators can set policies that apply Sudoers +configuration, and cron jobs to run hourly, daily, weekly or monthly. + +To enable the application of Group Policies on a client, set the global +smb.conf option 'apply group policies' to 'yes'. Policies are applied on an +interval of every 90 minutes, plus a random offset between 0 and 30 minutes. + +Policies applied by Samba are 'non-tattooing', meaning that changes can be +reverted by executing the `samba-gpupdate --unapply` command. Policies can be +re-applied using the `samba-gpupdate --force` command. +To view what policies have been or will be applied to a system, use the +`samba-gpupdate --rsop` command. + +Administration of Samba policy requires that a Samba ADMX template be uploaded +to the SYSVOL share. The samba-tool command `samba-tool gpo admxload` is +provided as a convenient method for adding this policy. Once uploaded, policies +can be modified in the Group Policy Management Editor under Computer +Configuration/Policies/Administrative Templates. + CTDB CHANGES ============ diff --git a/libgpo/admx/en-US/samba.adml b/libgpo/admx/en-US/samba.adml index 577cb1aa0bb..965af175e24 100755 --- a/libgpo/admx/en-US/samba.adml +++ b/libgpo/admx/en-US/samba.adml @@ -1,3 +1,4 @@ +<?xml version="1.0" ?> <policyDefinitionResources revision="1.0" schemaVersion="1.0"> <displayName> </displayName> 
@@ -18,6 +19,3114 @@ <string id="POL_D298F3BD_44D9_426D_AF11_3163D31582F6_Help">This policy setting allows you to execute commands, either local or on remote storage, monthly.</string> <string id="POL_3ACC7ECD_8086_4F4A_96DF_85B8FDE2F674_Help">This policy setting allows you to execute commands, either local or on remote storage, weekly.</string> <string id="POL_DB5DF501_6F87_42D4_9FEC_E7F32C498BD3_Help">This policy configures the sudoers file with the lines specified.</string> + <string id="CAT_10827749_64ED_5052_87F7_E81AD421856A">smb.conf</string> + <string id="POL_33AAE399_07A8_5CC8_882A_393E4B96B259">additional dns hostnames</string> + <string id="POL_33AAE399_07A8_5CC8_882A_393E4B96B259_Help">A list of additional DNS names by which this host can be identified + +Example: host2.example.com host3.other.com </string> + <string id="POL_3CD2A970_826E_518E_B5F0_5E6725FF354D">bind interfaces only</string> + <string id="POL_3CD2A970_826E_518E_B5F0_5E6725FF354D_Help">This global parameter allows the Samba admin + to limit what interfaces on a machine will serve SMB requests. It + affects file service smbd + 8 and name service nmbd + 8 in a slightly different ways. + For name service it causes nmbd to bind to ports 137 and 138 on the interfaces listed in the parameter. nmbd also binds to the "all addresses" interface (0.0.0.0) on ports 137 and 138 for the purposes of reading broadcast messages. If this option is not set then nmbd will service name requests on all of these sockets. If is set then nmbd will check the source address of any packets coming in on the broadcast sockets and discard any that don't match the broadcast addresses of the interfaces in the parameter list. As unicast packets are received on the other sockets it allows nmbd to refuse to serve names to machines that send packets that arrive through any interfaces not listed in the list. 
IP Source address spoofing does defeat this simple check, however, so it must not be used seriously as a security feature for nmbd. + For file service it causes smbd 8 to bind only to the interface list given in the parameter. This restricts the networks that smbd will serve, to packets coming in on those interfaces. Note that you should not use this parameter for machines that are serving PPP or other intermittent or non-broadcast network interfaces as it will not cope with non-permanent interfaces. + If is set and the network address 127.0.0.1 is not added to the parameter list smbpasswd 8 may not work as expected due to the reasons covered below. + To change a users SMB password, the smbpasswd by default connects to the localhost - 127.0.0.1 address as an SMB client to issue the password change request. If is set then unless the network address 127.0.0.1 is added to the parameter list then smbpasswd will fail to connect in it's default mode. smbpasswd can be forced to use the primary IP interface of the local host by using its smbpasswd 8 -r remote machine parameter, with remote machine set to the IP name of the primary interface of the local host.</string> + <string id="POL_109FA3A4_0F92_5052_A7D9_D4BBCA75F765">config backend</string> + <string id="POL_109FA3A4_0F92_5052_A7D9_D4BBCA75F765_Help">This controls the backend for storing the configuration. Possible values are file (the default) and registry. When registry is encountered while loading smb.conf, the configuration read so far is dropped and the global options are read from registry instead. So this triggers a registry only configuration. Share definitions are not read immediately but instead registry shares is set to yes. Note: This option can not be set inside the registry configuration itself. 
+ +Example: registry</string> + <string id="POL_08734B25_7265_5D0B_B857_B2E831B624F1">dos charset</string> + <string id="POL_08734B25_7265_5D0B_B857_B2E831B624F1_Help">DOS SMB clients assume the server has the same charset as they do. This option specifies which charset Samba should talk to DOS clients. + The default depends on which charsets you have installed. Samba tries to use charset 850 but falls back to ASCII in case it is not available. Run testparm 1 to check the default on your system.</string> + <string id="POL_4CCDFFB7_07DF_58F9_904E_13A024A3F54A">enable core files</string> + <string id="POL_4CCDFFB7_07DF_58F9_904E_13A024A3F54A_Help">This parameter specifies whether core dumps should be written on internal exits. Normally set to yes. You should never need to change this. + +Example: no</string> + <string id="POL_5B751E57_31A9_5EC2_A3CD_A8511D74FCFB">mdns name</string> + <string id="POL_5B751E57_31A9_5EC2_A3CD_A8511D74FCFB_Help">This parameter controls the name that multicast DNS support advertises as its' hostname. + The default is to use the NETBIOS name which is typically the hostname in all capital letters. + A setting of mdns will defer the hostname configuration to the MDNS library that is used.</string> + <string id="POL_461A8AAF_F51E_5FF5_9433_A8D25BBCF783">multicast dns register</string> + <string id="POL_461A8AAF_F51E_5FF5_9433_A8D25BBCF783_Help">If compiled with proper support for it, Samba will + announce itself with multicast DNS services like for example + provided by the Avahi daemon. + This parameter allows disabling Samba to register itself.</string> + <string id="POL_04F98D09_4223_5390_B66F_A6DA05F97FCC">netbios aliases</string> + <string id="POL_04F98D09_4223_5390_B66F_A6DA05F97FCC_Help">This is a list of NetBIOS names that nmbd will + advertise as additional names by which the Samba server is known. This allows one machine to appear in browse lists under multiple names. 
If a machine is acting as a browse server + or logon server none of these names will be advertised as either browse server or logon servers, only the primary name of the machine will be advertised with these capabilities. + +Example: TEST TEST1 TEST2</string> + <string id="POL_90CE7832_31B7_51D8_9EF2_92FEF396F49B">netbios name</string> + <string id="POL_90CE7832_31B7_51D8_9EF2_92FEF396F49B_Help">This sets the NetBIOS name by which a Samba server is known. By default it is the same as the first component of the host's DNS name. If a machine is a browse server or logon server this name (or the first component of the hosts DNS name) will be the name that these services are advertised under. + Note that the maximum length for a NetBIOS name is 15 characters. + There is a bug in Samba that breaks operation of browsing and access to shares if the netbios name is set to the literal name PIPE. To avoid this problem, do not name your Samba server PIPE. + +Example: MYNAME</string> + <string id="POL_3B93FDE1_6461_572C_AD2E_6AEEAE4EA949">netbios scope</string> + <string id="POL_3B93FDE1_6461_572C_AD2E_6AEEAE4EA949_Help">This sets the NetBIOS scope that Samba will operate under. This should not be set unless every machine on your LAN also sets this value.</string> + <string id="POL_E633B0BE_9CF3_5D79_A9F1_CB782C82A19C">prefork backoff increment</string> + <string id="POL_E633B0BE_9CF3_5D79_A9F1_CB782C82A19C_Help">This option specifies the number of seconds added to the delay before a prefork master or worker process is restarted. The restart is initially zero, the prefork backoff increment is added to the delay on each restart up to the value specified by "prefork maximum backoff". + Additionally the the backoff for an individual service by using "prefork backoff increment: service name" i.e. "prefork backoff increment:ldap = 2" to set the backoff increment to 2. + If the backoff increment is 2 and the maximum backoff is 5. 
There will be a zero second delay for the first restart. A two second delay for the second restart. A four second delay for the third and any subsequent restarts</string> + <string id="POL_B4E848BD_E606_552C_8C9F_3F8CC1AEF191">prefork children</string> + <string id="POL_B4E848BD_E606_552C_8C9F_3F8CC1AEF191_Help">This option controls the number of worker processes that are started for each service when prefork process model is enabled (see samba 8 -M) The prefork children are only started for those services that support prefork (currently ldap, kdc and netlogon). For processes that don't support preforking all requests are handled by a single process for that service. + This should be set to a small multiple of the number of CPU's available on the server + Additionally the number of prefork children can be specified for an individual service by using "prefork children: service name" i.e. "prefork children:ldap = 8" to set the number of ldap worker processes.</string> + <string id="POL_D721EFAF_A53D_57B7_9639_3859CF9CE31E">prefork maximum backoff</string> + <string id="POL_D721EFAF_A53D_57B7_9639_3859CF9CE31E_Help">This option controls the maximum delay before a failed pre-fork process is restarted.</string> + <string id="POL_1630255E_61BA_5686_B3E0_995F8C4DAA5E">realm</string> + <string id="POL_1630255E_61BA_5686_B3E0_995F8C4DAA5E_Help">This option specifies the kerberos realm to use. The realm is used as the ADS equivalent of the NT4 domain. It is usually set to the DNS name of the kerberos server. + +Example: mysambabox.mycompany.com</string> + <string id="POL_E1D45258_0E70_5AF8_AE28_DAB6B318BB8A">server services</string> + <string id="POL_E1D45258_0E70_5AF8_AE28_DAB6B318BB8A_Help">This option contains the services that the Samba daemon will run. + An entry in the smb.conf file can either override the previous value completely or entries can be removed from or added to it by prefixing them with + or -. 
+ +Example: -s3fs, +smb</string> + <string id="POL_351CFFDA_9DC3_54FB_BE9A_E434F0DB9955">server string</string> + <string id="POL_351CFFDA_9DC3_54FB_BE9A_E434F0DB9955_Help">This controls what string will show up in the printer comment box in print + manager and next to the IPC connection in net view. It + can be any string that you wish to show to your users. It also sets what will appear in browse lists next to the machine name. + A %v will be replaced with the Samba version number. + A %h will be replaced with the hostname. + +Example: University of GNUs Samba Server</string> + <string id="POL_32A7428D_00FC_5203_9943_2BDCDC3D9E0D">share backend</string> + <string id="POL_32A7428D_00FC_5203_9943_2BDCDC3D9E0D_Help">This option specifies the backend that will be used to access the configuration of file shares. + Traditionally, Samba file shares have been configured in the smb.conf file and this is still the default. + At the moment there are no other supported backends.</string> + <string id="POL_ABDCEE90_90DE_55C2_A2DC_1C7D017F4B2B">unix charset</string> + <string id="POL_ABDCEE90_90DE_55C2_A2DC_1C7D017F4B2B_Help">Specifies the charset the unix machine Samba runs on uses. Samba needs to know this in order to be able to convert text to the charsets other SMB clients use. + This is also the charset Samba will use when specifying arguments to scripts that it invokes. + +Example: ASCII</string> + <string id="POL_D1FAAF87_1E1E_596F_A915_BE72D67A5DC5">workgroup</string> + <string id="POL_D1FAAF87_1E1E_596F_A915_BE72D67A5DC5_Help">This controls what workgroup your server will appear to be in when queried by clients. Note that this parameter also controls the Domain name used with the domain setting. 
+ +Example: MYGROUP</string> + <string id="POL_163183B9_195A_5290_927E_08FBB6C76AA0">interfaces</string> + <string id="POL_163183B9_195A_5290_927E_08FBB6C76AA0_Help">This option allows you to override the default network interfaces list that Samba will use for browsing, name registration and other NetBIOS over TCP/IP (NBT) traffic. By default Samba will query the kernel for the list of all active interfaces and use any interfaces except 127.0.0.1 that are broadcast capable. + The option takes a list of interface strings. Each string can be in any of the following forms: + a network interface name (such as eth0). This may include shell-like wildcards so eth* will match any interface starting with the substring "eth" an IP address. In this case the netmask is determined from the list of interfaces obtained from the kernel an IP/mask pair. a broadcast/mask pair. + The "mask" parameters can either be a bit length (such as 24 for a C class network) or a full netmask in dotted decimal form. + The "IP" parameters above can either be a full dotted decimal IP address or a hostname which will be looked up via the OS's normal hostname resolution mechanisms. + By default Samba enables all active interfaces that are broadcast capable except the loopback adaptor (IP address 127.0.0.1). + In order to support SMB3 multi-channel configurations, smbd understands some extra parameters which can be appended after the actual interface with this extended syntax (note that the quoting is important in order to handle the ; and , characters): + "interface[;key1=value1[,key2=value2[...]]]" + Known keys are speed, capability, and if_index. Speed is specified in bits per second. Known capabilities are RSS and RDMA. The if_index should be used with care: the values must not coincide with indexes used by the kernel. Note that these options are mainly intended for testing and development rather than for production use. 
At least on Linux systems, these values should be auto-detected, but the settings can serve as last a resort when autodetection is not working or is not available. The specified values overwrite the auto-detected values. + The first two example below configures three network interfaces corresponding to the eth0 device and IP addresses 192.168.2.10 and 192.168.3.10. The netmasks of the latter two interfaces would be set to 255.255.255.0. + The other examples show how per interface extra parameters can be specified. Notice the possible usage of "," and ";", which makes the double quoting necessary. + +Example: eth0 192.168.2.10/24 192.168.3.10/255.255.255.0 + +Example: eth0, 192.168.2.10/24; 192.168.3.10/255.255.255.0 + +Example: "eth0;if_index=65,speed=1000000000,capability=RSS" + +Example: "lo;speed=1000000000" "eth0;capability=RSS" + +Example: "lo;speed=1000000000" , "eth0;capability=RSS" + +Example: "eth0;capability=RSS" , "rdma1;capability=RDMA" ; "rdma2;capability=RSS,capability=RDMA"</string> + <string id="POL_25731B61_FC84_5A83_93AE_296F7D6311C4">browse list</string> + <string id="POL_25731B61_FC84_5A83_93AE_296F7D6311C4_Help">This controls whether smbd 8 will serve a browse list to a client doing a NetServerEnum call. Normally set to yes. You should never need to change this.</string> + <string id="POL_3E9E3188_6F1A_54F8_8E13_265E2AD1BE71">domain master</string> + <string id="POL_3E9E3188_6F1A_54F8_8E13_265E2AD1BE71_Help">Tell smbd 8 to enable WAN-wide browse list collation. Setting this option causes nmbd to claim a special domain specific NetBIOS name that identifies it as a domain master browser for its given . Local master browsers in the same on broadcast-isolated subnets will give this nmbd their local browse lists, and then ask smbd 8 for a complete copy of the browse list for the whole wide area network. 
Browser clients will then contact their local master browser, and will receive the domain-wide browse list, instead of just the list for their broadcast-isolated subnet. + Note that Windows NT Primary Domain Controllers expect to be able to claim this specific special NetBIOS name that identifies them as domain master browsers for that by default (i.e. there is no way to prevent a Windows NT PDC from attempting to do this). This means that if this parameter is set and nmbd claims the special name for a before a Windows NT PDC is able to do so then cross subnet browsing will behave strangely and may fail. If yes, then the default behavior is to enable the parameter. If is not enabled (the default setting), then neither will be enabled by default. + When Yes the default setting for this parameter is Yes, with the result that Samba will be a PDC. If No, Samba will function as a BDC. In general, this parameter should be set to 'No' only on a BDC.</string> + <string id="POL_E14519D2_9B84_5A1B_B4A4_89F6151BFCE2">enhanced browsing</string> + <string id="POL_E14519D2_9B84_5A1B_B4A4_89F6151BFCE2_Help">This option enables a couple of enhancements to cross-subnet browse propagation that have been added in Samba but which are not standard in Microsoft implementations. + The first enhancement to browse propagation consists of a regular wildcard query to a Samba WINS server for all Domain Master Browsers, followed by a browse synchronization with each of the returned DMBs. The second enhancement consists of a regular randomised browse synchronization with all currently known DMBs. + You may wish to disable this option if you have a problem with empty workgroups not disappearing from browse lists. Due to the restrictions of the browse protocols, these enhancements can cause a empty workgroup to stay around forever which can be annoying. 
+ In general you should leave this option enabled as it makes cross-subnet browse propagation much more reliable.</string> + <string id="POL_7E8FBFDB_CBDD_5CE7_B101_07AB8AA71209">lm announce</string> + <string id="POL_7E8FBFDB_CBDD_5CE7_B101_07AB8AA71209_Help">This parameter determines if nmbd 8 will produce Lanman announce broadcasts that are needed by OS/2 clients in order for them to see the Samba server in their browse list. This parameter can have three values, yes, no, or auto. The default is auto. If set to no Samba will never produce these broadcasts. If set to yes Samba will produce Lanman announce broadcasts at a frequency set by the parameter . If set to auto Samba will not send Lanman announce broadcasts by default but will listen for them. If it hears such a broadcast on the wire it will then start sending them at a frequency set by the parameter . + +Example: yes</string> + <string id="POL_6D665B21_1F08_5183_B9CD_CFD712C1D4AB">lm interval</string> + <string id="POL_6D665B21_1F08_5183_B9CD_CFD712C1D4AB_Help">If Samba is set to produce Lanman announce broadcasts needed by OS/2 clients (see the parameter) then this parameter defines the frequency in seconds with which they will be made. If this is set to zero then no Lanman announcements will be made despite the setting of the parameter. + +Example: 120</string> + <string id="POL_40EA4C73_20A7_580A_A830_0EDA7FC72B7D">local master</string> + <string id="POL_40EA4C73_20A7_580A_A830_0EDA7FC72B7D_Help">This option allows nmbd 8 to try and become a local master browser on a subnet. If set to no then nmbd will not attempt to become a local master browser on a subnet and will also lose in all browsing elections. By default this value is set to yes. Setting this value to yes doesn't mean that Samba will become the local master browser on a subnet, just that nmbd will participate in elections for local master browser. 
+ Setting this value to no will cause nmbd never to become a local +master browser.</string> + <string id="POL_95C311BC_3067_5654_A978_70326D928F48">os level</string> + <string id="POL_95C311BC_3067_5654_A978_70326D928F48_Help">This integer value controls what level Samba advertises itself as for browse elections. The value of this parameter determines whether nmbd 8 has a chance of becoming a local master browser for the in the local broadcast area. + Note: By default, Samba will win a local master browsing election over all Microsoft operating systems except a Windows NT 4.0/2000 Domain Controller. This means that a misconfigured Samba host can effectively isolate a subnet for browsing purposes. This parameter is largely auto-configured in the Samba-3 release series and it is seldom necessary to manually override the default setting. Please refer to the chapter on Network Browsing in the Samba-3 HOWTO document for further information regarding the use of this parameter. Note: The maximum value for this parameter is 255. If you use higher values, counting will start at 0! + +Example: 65</string> + <string id="POL_516D10CE_AECD_50DE_B4F5_D9DBF85FA582">preferred master</string> + <string id="POL_516D10CE_AECD_50DE_B4F5_D9DBF85FA582_Help">This boolean parameter controls if nmbd 8 is a preferred master browser for its workgroup. + If this is set to yes, on startup, nmbd will force an election, and it will have a slight advantage in winning the election. It is recommended that this parameter is used in conjunction with yes, so that nmbd can guarantee becoming a domain master. + Use this option with caution, because if there are several hosts (whether Samba servers, Windows 95 or NT) that are preferred master browsers on the same subnet, they will each periodically and continuously attempt to become the local master browser. 
This will result in unnecessary broadcast traffic and reduced browsing capabilities.</string> + <string id="POL_E468B4EF_D43C_572D_9A57_390D5D22F485">allow dns updates</string> + <string id="POL_E468B4EF_D43C_572D_9A57_390D5D22F485_Help">This option determines what kind of updates to the DNS are allowed. + DNS updates can either be disallowed completely by setting it to disabled, enabled over secure connections only by setting it to secure only or allowed in all cases by setting it to nonsecure. + +Example: disabled</string> + <string id="POL_7E805DF0_F3AD_55F6_AC1E_B13987AE73FC">dns forwarder</string> + <string id="POL_7E805DF0_F3AD_55F6_AC1E_B13987AE73FC_Help">This option specifies the list of DNS servers that DNS requests will be forwarded to if they can not be handled by Samba itself. + The DNS forwarder is only used if the internal DNS server in Samba is used. + +Example: 192.168.0.1 192.168.0.2</string> + <string id="POL_DE5786B0_C694_53AA_85F2_F9B4EB2F9923">dns update command</string> + <string id="POL_DE5786B0_C694_53AA_85F2_F9B4EB2F9923_Help">This option sets the command that is called when there are DNS updates. It should update the local machines DNS names using TSIG-GSS. + +Example: /usr/local/sbin/dnsupdate</string> + <string id="POL_C5C16F87_0017_5CC1_810B_398855115BC9">dns zone scavenging</string> + <string id="POL_C5C16F87_0017_5CC1_810B_398855115BC9_Help">When enabled (the default is disabled) unused dynamic dns records are periodically removed. This option should not be enabled for installations created with versions of samba before 4.9. Doing this will result in the loss of static DNS entries. This is due to a bug in previous versions of samba (BUG 12451) which marked dynamic DNS records as static and static records as dynamic. 
If one record for a DNS name is static (non-aging) then no other record for that DNS name will be scavenged.</string> + <string id="POL_23A4E426_BE59_5616_849E_94C825DDFC5B">gpo update command</string> + <string id="POL_23A4E426_BE59_5616_849E_94C825DDFC5B_Help">This option sets the command that is called to apply GPO policies. + The samba-gpupdate script applies System Access and Kerberos Policies to the KDC. System Access policies set minPwdAge, maxPwdAge, minPwdLength, and pwdProperties in the samdb. Kerberos Policies set kdc:service ticket lifetime, kdc:user ticket lifetime, and kdc:renewal lifetime in smb.conf. + +Example: /usr/local/sbin/gpoupdate</string> + <string id="POL_D32F3D0B_74B1_5C8F_81B4_CC9574EAB9B7">machine password timeout</string> + <string id="POL_D32F3D0B_74B1_5C8F_81B4_CC9574EAB9B7_Help">If a Samba server is a member of a Windows NT or Active Directory Domain (see the domain and ads parameters), then periodically a running winbindd process will try and change the MACHINE ACCOUNT PASSWORD stored in the TDB called secrets.tdb . This parameter specifies how often this password will be changed, in seconds. The default is one week (expressed in seconds), the same as a Windows NT Domain member server. + See also smbpasswd 8, and the domain and ads parameters.</string> + <string id="POL_07339CF8_68F5_5B5F_9207_93D2E4526C44">nsupdate command</string> + <string id="POL_07339CF8_68F5_5B5F_9207_93D2E4526C44_Help">This option sets the path to the nsupdate command which is used for GSS-TSIG dynamic DNS updates.</string> + <string id="POL_D0F6F805_6160_55CF_9B8B_F5AD874B1E2C">spn update command</string> + <string id="POL_D0F6F805_6160_55CF_9B8B_F5AD874B1E2C_Help">This option sets the command that for updating servicePrincipalName names from spn_update_list. 
+ +Example: /usr/local/sbin/spnupdate</string> + <string id="POL_6FFBB02C_6B3E_5D0E_9193_15F9B38E487D">mangle prefix</string> + <string id="POL_6FFBB02C_6B3E_5D0E_9193_15F9B38E487D_Help">controls the number of prefix characters from the original name used when generating the mangled names. A larger value will give a weaker hash and therefore more name collisions. The minimum value is 1 and the maximum value is 6. + mangle prefix is effective only when mangling method is hash2. + +Example: 4</string> + <string id="POL_BE8F8AE7_99AC_582E_8105_00326D511339">mangling method</string> + <string id="POL_BE8F8AE7_99AC_582E_8105_00326D511339_Help">controls the algorithm used for the generating the mangled names. Can take two different values, "hash" and "hash2". "hash" is the algorithm that was used in Samba for many years and was the default in Samba 2.2.x "hash2" is + now the default and is newer and considered a better algorithm (generates less collisions) in + the names. Many Win32 applications store the mangled names and so changing to algorithms must not be done lightly as these applications + may break unless reinstalled. + +Example: hash</string> + <string id="POL_62095050_5FA9_5E4F_8792_595D30BEF047">max stat cache size</string> + <string id="POL_62095050_5FA9_5E4F_8792_595D30BEF047_Help">This parameter limits the size in memory of any stat cache being used to speed up case insensitive name mappings. It represents the number of kilobyte (1024) units the stat cache can use. A value of zero, meaning unlimited, is not advisable due to increased memory usage. You should not need to change this parameter. + +Example: 100</string> + <string id="POL_63F6A053_E2E9_57D0_A0F8_003024AD6470">stat cache</string> + <string id="POL_63F6A053_E2E9_57D0_A0F8_003024AD6470_Help">This parameter determines if smbd 8 will use a cache in order to speed up case insensitive name mappings. 
You should never need to change this parameter.</string> + <string id="POL_FBDCB316_EDD2_526C_AE9F_32F50A97A72F">client ldap sasl wrapping</string> + <string id="POL_FBDCB316_EDD2_526C_AE9F_32F50A97A72F_Help">The defines whether ldap traffic will be signed or signed and encrypted (sealed). Possible values are plain, sign and seal. + The values sign and seal are only available if Samba has been compiled against a modern OpenLDAP version (2.3.x or higher). This option is needed in the case of Domain Controllers enforcing the usage of signed LDAP connections (e.g. Windows 2000 SP3 or higher). LDAP sign and seal can be controlled with the registry key "HKLM\System\CurrentControlSet\Services\ NTDS\Parameters\LDAPServerIntegrity" on the Windows server side. + Depending on the used KRB5 library (MIT and older Heimdal versions) it is possible that the message "integrity only" is not supported. In this case, sign is just an alias for seal. + The default value is sign. That implies synchronizing the time with the KDC in the case of using Kerberos.</string> + <string id="POL_712CFB73_7887_55DD_975B_48DEDBDB9441">ldap admin dn</string> + <string id="POL_712CFB73_7887_55DD_975B_48DEDBDB9441_Help">The defines the Distinguished Name (DN) name used by Samba to contact the ldap server when retrieving user account information. The is used in conjunction with the admin dn password stored in the private/secrets.tdb file. See the smbpasswd 8 man page for more information on how to accomplish this. + The requires a fully specified DN. The is not appended to the .</string> + <string id="POL_CEAB52CA_95EB_5DE5_863B_2399BEF5C727">ldap connection timeout</string> + <string id="POL_CEAB52CA_95EB_5DE5_863B_2399BEF5C727_Help">This parameter tells the LDAP library calls which timeout in seconds they should honor during initial connection establishments to LDAP servers. It is very useful in failover scenarios in particular. 
If one or more LDAP servers are not reachable at all, we do not have to wait until TCP timeouts are over. This feature must be supported by your LDAP library. + This parameter is different from which affects operations on LDAP servers using an existing connection and not establishing an initial connection.</string> + <string id="POL_4750A945_176C_5FFF_AB50_DF2BE31C3FBB">ldap delete dn</string> + <string id="POL_4750A945_176C_5FFF_AB50_DF2BE31C3FBB_Help">This parameter specifies whether a delete operation in the ldapsam deletes the complete entry or only the attributes specific to Samba.</string> + <string id="POL_27BBF4DB_E2AE_58D3_8018_E83C4B185A3C">ldap deref</string> + <string id="POL_27BBF4DB_E2AE_58D3_8018_E83C4B185A3C_Help">This option controls whether Samba should tell the LDAP library to use a certain alias dereferencing method. The default is auto, which means that the default setting of the ldap client library will be kept. Other possible values are never, finding, searching and always. Grab your LDAP manual for more information. + +Example: searching</string> + <string id="POL_B383A7ED_F6A4_5BD3_B85E_E6B6527D8D79">ldap follow referral</string> + <string id="POL_B383A7ED_F6A4_5BD3_B85E_E6B6527D8D79_Help">This option controls whether to follow LDAP referrals or not when searching for entries in the LDAP database. Possible values are on to enable following referrals, off to disable this, and auto, to use the libldap default settings. libldap's choice of following referrals or not is set in /etc/openldap/ldap.conf with the REFERRALS parameter as documented in ldap.conf(5). + +Example: off</string> + <string id="POL_E31CD0A8_5A4A_5657_8ACA_123A200C6E06">ldap group suffix</string> + <string id="POL_E31CD0A8_5A4A_5657_8ACA_123A200C6E06_Help">This parameter specifies the suffix that is used for groups when these are added to the LDAP directory. If this parameter is unset, the value of will be used instead. 
The suffix string is pre-pended to the + string so use a partial DN. + +Example: ou=Groups</string> + <string id="POL_FC4495FC_4C6E_50C8_9B37_08D9955A883B">ldap idmap suffix</string> + <string id="POL_FC4495FC_4C6E_50C8_9B37_08D9955A883B_Help">This parameters specifies the suffix that is used when storing idmap mappings. If this parameter is unset, the value of will be used instead. The suffix string is pre-pended to the string so use a partial DN. + +Example: ou=Idmap</string> + <string id="POL_2ED1402F_4CF6_5CED_BE40_9B112E1238DC">ldap machine suffix</string> + <string id="POL_2ED1402F_4CF6_5CED_BE40_9B112E1238DC_Help">It specifies where machines should be added to the ldap tree. If this parameter is unset, the value of will be used instead. The suffix string is pre-pended to the string so use a partial DN. + +Example: ou=Computers</string> + <string id="POL_12C5B04D_D734_576A_99F1_7475BC9E90D7">ldap page size</string> + <string id="POL_12C5B04D_D734_576A_99F1_7475BC9E90D7_Help">This parameter specifies the number of entries per page. + If the LDAP server supports paged results, clients can request subsets of search results (pages) instead of the entire list. This parameter specifies the size of these pages. + +Example: 512</string> + <string id="POL_DB427B53_CF02_5410_AE37_5BD4E8B968CE">ldap passwd sync</string> + <string id="POL_DB427B53_CF02_5410_AE37_5BD4E8B968CE_Help">This option is used to define whether or not Samba should sync the LDAP password with the NT and LM hashes for normal accounts (NOT for workstation, server or domain trusts) on a password change via SAMBA. + The can be set to one of three values: Yes = Try to update the LDAP, NT and LM passwords and update the pwdLastSet time. No = Update NT and LM passwords and update the pwdLastSet time. 
+ Only = Only update the LDAP password and let the LDAP server do the rest.</string> + <string id="POL_0C51A40C_E06E_5A0A_B160_5EB21289B17D">ldap replication sleep</string> + <string id="POL_0C51A40C_E06E_5A0A_B160_5EB21289B17D_Help">When Samba is asked to write to a read-only LDAP replica, we are redirected to talk to the read-write master server. This server then replicates our changes back to the 'local' server, however the replication might take some seconds, especially over slow links. Certain client activities, particularly domain joins, can become confused by the 'success' that does not immediately change the LDAP back-end's data. + This option simply causes Samba to wait a short time, to allow the LDAP server to catch up. If you have a particularly high-latency network, you may wish to time the LDAP replication with a network sniffer, and increase this value accordingly. Be aware that no checking is performed that the data has actually replicated. + The value is specified in milliseconds, the maximum value is 5000 (5 seconds).</string> + <string id="POL_763BAFE2_3FE0_5C25_B3DC_34AE48F2F569">ldapsam:editposix</string> + <string id="POL_763BAFE2_3FE0_5C25_B3DC_34AE48F2F569_Help">Editposix is an option that leverages ldapsam:trusted to make it simpler to manage a domain controller eliminating the need to set up custom scripts to add and manage the posix users and groups. This option will instead directly manipulate the ldap tree to create, remove and modify user and group entries. This option also requires a running winbindd as it is used to allocate new uids/gids on user/group creation. The allocation range must be therefore configured. + To use this option, a basic ldap tree must be provided and the ldap suffix parameters must be properly configured. On virgin servers the default users and groups (Administrator, Guest, Domain Users, Domain Admins, Domain Guests) can be precreated with the command net sam provision. 
To run this command the ldap server must be running, Winbindd must be running and the smb.conf ldap options must be properly configured. + The typical ldap setup used with the yes option is usually sufficient to use yes as well. + An example configuration can be the following: + encrypt passwords = true passdb backend = ldapsam + ldapsam:trusted=yes ldapsam:editposix=yes + ldap admin dn = cn=admin,dc=samba,dc=org ldap delete dn = yes ldap group suffix = ou=groups ldap idmap suffix = ou=idmap ldap machine suffix = ou=computers ldap user suffix = ou=users ldap suffix = dc=samba,dc=org + idmap backend = ldap:"ldap://localhost" + idmap uid = 5000-50000 idmap gid = 5000-50000 + This configuration assumes a directory layout like described in the following ldif: + dn: dc=samba,dc=org objectClass: top objectClass: dcObject objectClass: organization o: samba.org dc: samba + dn: cn=admin,dc=samba,dc=org objectClass: simpleSecurityObject objectClass: organizationalRole cn: admin description: LDAP administrator userPassword: secret + dn: ou=users,dc=samba,dc=org objectClass: top objectClass: organizationalUnit ou: users + dn: ou=groups,dc=samba,dc=org objectClass: top objectClass: organizationalUnit ou: groups + dn: ou=idmap,dc=samba,dc=org objectClass: top objectClass: organizationalUnit ou: idmap + dn: ou=computers,dc=samba,dc=org objectClass: top objectClass: organizationalUnit ou: computers</string> + <string id="POL_F7979912_0010_5656_BC3A_08876A56418C">ldapsam:trusted</string> + <string id="POL_F7979912_0010_5656_BC3A_08876A56418C_Help">By default, Samba as a Domain Controller with an LDAP backend needs to use the Unix-style NSS subsystem to access user and group information. Due to the way Unix stores user information in /etc/passwd and /etc/group this inevitably leads to inefficiencies. One important question a user needs to know is the list of groups he is member of. 
The plain UNIX model involves a complete enumeration of the file /etc/group and its NSS counterparts in LDAP. UNIX has optimized functions to enumerate group membership. Sadly, other functions that are used to deal with user and group attributes lack such optimization. + To make Samba scale well in large environments, the yes option assumes that the complete user and group database that is relevant to Samba is stored in LDAP with the standard posixAccount/posixGroup attributes. It further assumes that the Samba auxiliary object classes are stored together with the POSIX data in the same LDAP object. If these assumptions are met, yes can be activated and Samba can bypass the NSS system to query user group memberships. Optimized LDAP queries can greatly speed up domain logon and administration tasks. Depending on the size of the LDAP database a factor of 100 or more for common queries is easily achieved.</string> + <string id="POL_04D79AF3_042D_5ABC_BE8F_4C6628E0F703">ldap server require strong auth</string> + <string id="POL_04D79AF3_042D_5ABC_BE8F_4C6628E0F703_Help">The defines whether the ldap server requires ldap traffic to be signed or signed and encrypted (sealed). Possible values are no, allow_sasl_over_tls and yes. + A value of no allows simple and sasl binds over all transports. + A value of allow_sasl_over_tls allows simple and sasl binds (without sign or seal) over TLS encrypted connections. Unencrypted connections only allow sasl binds with sign or seal. + A value of yes allows only simple binds over TLS encrypted connections. 
Unencrypted connections only allow sasl binds with sign or seal.</string> + <string id="POL_5B8B9520_4858_5C2F_AA85_F972FF86784A">ldap ssl</string> + <string id="POL_5B8B9520_4858_5C2F_AA85_F972FF86784A_Help">This option is used to define whether or not Samba should use SSL when connecting to the ldap server This is NOT related to Samba's previous SSL support which was enabled by specifying the --with-ssl option to the configure script. + LDAP connections should be secured where possible. This may be done setting either this parameter to start tls or by specifying ldaps:// in + the URL argument of . + The can be set to one of two values: Off = Never use SSL when querying the directory. + start tls = Use the LDAPv3 StartTLS extended operation (RFC2830) for communicating with the directory server. Please note that this parameter does only affect rpc methods. To enable the LDAPv3 StartTLS extended operation (RFC2830) for ads, set start tls and yes. See smb.conf5 for more information on .</string> + <string id="POL_42494B88_7254_5F5F_B738_D5D10BCFBC6C">ldap ssl ads</string> + <string id="POL_42494B88_7254_5F5F_B738_D5D10BCFBC6C_Help">This option is used to define whether or not Samba should use SSL when connecting to the ldap server using ads methods. Rpc methods are not affected by this parameter. Please note, that this parameter won't have any effect if is set to no. + See smb.conf5 for more information on .</string> + <string id="POL_9B071174_FBD3_5CA8_82AA_3BD1EB7BCF45">ldap suffix</string> + <string id="POL_9B071174_FBD3_5CA8_82AA_3BD1EB7BCF45_Help">Specifies the base for all ldap suffixes and for storing the sambaDomain object. + The ldap suffix will be appended to the values specified for the , , , and the . Each of these should be given only a DN relative to the . 
+ +Example: dc=samba,dc=org</string> + <string id="POL_40F4D046_B9E1_53B0_9DC9_1AE4DE9B1976">ldap timeout</string> + <string id="POL_40F4D046_B9E1_53B0_9DC9_1AE4DE9B1976_Help">This parameter defines the number of seconds that Samba should use as timeout for LDAP operations.</string> + <string id="POL_26984E46_7C64_57A4_B4BF_C2C2B13C330E">ldap user suffix</string> + <string id="POL_26984E46_7C64_57A4_B4BF_C2C2B13C330E_Help">This parameter specifies where users are added to the tree. If this parameter is unset, the value of will be used instead. The suffix string is pre-pended to the string so use a partial DN. + +Example: ou=people</string> + <string id="POL_AB95F2C5_BFBC_5955_8062_8B446AF7E84C">ldap max anonymous request size</string> + <string id="POL_AB95F2C5_BFBC_5955_8062_8B446AF7E84C_Help">This parameter specifies the maximum permitted size (in bytes) for an LDAP request received on an anonymous connection. + If the request size exceeds this limit the request will be rejected. + +Example: 500000</string> + <string id="POL_23FFECD5_A3C4_566C_AEB3_015F25B1A978">ldap max authenticated request size</string> + <string id="POL_23FFECD5_A3C4_566C_AEB3_015F25B1A978_Help">This parameter specifies the maximum permitted size (in bytes) for an LDAP request received on an authenticated connection. + If the request size exceeds this limit the request will be rejected. + +Example: 4194304</string> + <string id="POL_F7C651B1_70B4_5047_BC65_2E4D382CBD15">ldap max search request size</string> + <string id="POL_F7C651B1_70B4_5047_BC65_2E4D382CBD15_Help">This parameter specifies the maximum permitted size (in bytes) for an LDAP search request. + If the request size exceeds this limit the request will be rejected. 
+ +Example: 4194304</string> + <string id="POL_B3B2B9CC_3DBC_5C45_AA31_7C1E52AFEFAF">lock spin time</string> + <string id="POL_B3B2B9CC_3DBC_5C45_AA31_7C1E52AFEFAF_Help">The time in milliseconds that smbd should keep waiting to see if a failed lock request can be granted. This parameter has changed in default value from Samba 3.0.23 from 10 to 200. The associated parameter is no longer used in Samba 3.0.24. You should not need to change the value of this parameter.</string> + <string id="POL_4A0366F2_6815_5654_8DC2_F68E840E53F4">oplock break wait time</string> + <string id="POL_4A0366F2_6815_5654_8DC2_F68E840E53F4_Help">This is a tuning parameter added due to bugs in both Windows 9x and WinNT. If Samba responds to a client too quickly when that client issues an SMB that can cause an oplock break request, then the network client can fail and not respond to the break request. This tuning parameter (which is set in milliseconds) is the amount of time Samba will wait before sending an oplock break request to such (broken) clients. + DO NOT CHANGE THIS PARAMETER UNLESS YOU HAVE READ AND UNDERSTOOD THE SAMBA OPLOCK CODE.</string> + <string id="POL_B49FAE41_B4C1_5AFA_870E_9E1C35F9A96F">smb2 leases</string> + <string id="POL_B49FAE41_B4C1_5AFA_870E_9E1C35F9A96F_Help">This boolean option tells smbd whether to globally negotiate SMB2 leases on file open requests. Leasing is an SMB2-only feature which allows clients to aggressively cache files locally above and beyond the caching allowed by SMB1 oplocks. + This is only available with yes and no. + Note that the write cache won't be used for file handles with a smb2 write lease.</string> + <string id="POL_1E9B5BE6_8C81_5141_88CD_B5AC0E8D964B">debug class</string> + <string id="POL_1E9B5BE6_8C81_5141_88CD_B5AC0E8D964B_Help">With this boolean parameter enabled, the debug class (DBGC_CLASS) + will be displayed in the debug header. 
+ + + For more information about currently available debug classes, see + section about .</string> + <string id="POL_07D2E039_C5A0_5123_BD71_0C74E2569310">debug hires timestamp</string> + <string id="POL_07D2E039_C5A0_5123_BD71_0C74E2569310_Help">Sometimes the timestamps in the log messages are needed with a resolution of higher that seconds, this + boolean parameter adds microsecond resolution to the timestamp message header when turned on. + + + + Note that the parameter must be on for this to have an effect.</string> + <string id="POL_E066DF4A_5BA1_5B35_A96F_90DE6CF27132">debug pid</string> + <string id="POL_E066DF4A_5BA1_5B35_A96F_90DE6CF27132_Help">When using only one log file for more then one forked smbd + 8-process there may be hard to follow which process outputs which + message. This boolean parameter is adds the process-id to the timestamp message headers in the + logfile when turned on. + + + + Note that the parameter must be on for this to have an effect.</string> + <string id="POL_4B4EF8B5_3526_5583_8174_E3E332727970">debug prefix timestamp</string> + <string id="POL_4B4EF8B5_3526_5583_8174_E3E332727970_Help">With this option enabled, the timestamp message header is prefixed to the debug message without the + filename and function information that is included with the + parameter. This gives timestamps to the messages without adding an additional line. + + + + Note that this parameter overrides the parameter.</string> + <string id="POL_571A8B87_3CCC_5725_BA33_BDEE367BB740">debug uid</string> + <string id="POL_571A8B87_3CCC_5725_BA33_BDEE367BB740_Help">Samba is sometimes run as root and sometime run as the connected user, this boolean parameter inserts the + current euid, egid, uid and gid to the timestamp message headers in the log file if turned on. 
+ + + Note that the parameter must be on for this to have an effect.</string> + <string id="POL_2167CEE9_B2C9_5574_8F7D_F38DA9EBBFF1">ldap debug level</string> + <string id="POL_2167CEE9_B2C9_5574_8F7D_F38DA9EBBFF1_Help">This parameter controls the debug level of the LDAP library calls. In the case of OpenLDAP, it is the same bit-field as understood by the server and documented in the slapd.conf 5 manpage. A typical useful value will be 1 for tracing function calls. The debug output from the LDAP libraries appears with the prefix [LDAP] in Samba's logging output. The level at which LDAP logging is printed is controlled by the parameter ldap debug threshold. + +Example: 1</string> + <string id="POL_F324946B_9B0D_53F0_AD4F_56800DD63085">ldap debug threshold</string> + <string id="POL_F324946B_9B0D_53F0_AD4F_56800DD63085_Help">This parameter controls the Samba debug level at which the ldap library debug output is printed in the Samba logs. See the description of ldap debug level for details. + +Example: 5</string> + <string id="POL_3A601C55_A5EB_5E86_817B_38DACFD45CF9">log file</string> + <string id="POL_3A601C55_A5EB_5E86_817B_38DACFD45CF9_Help">This option allows you to override the name of the Samba log file (also known as the debug file). + + + + This option takes the standard substitutions, allowing you to have separate log files for each user or machine. + +Example: /usr/local/samba/var/log.%m</string> + <string id="POL_A3E0303F_93B5_5C1F_8C01_362881F843CC">logging</string> + <string id="POL_A3E0303F_93B5_5C1F_8C01_362881F843CC_Help">This parameter configures logging backends. Multiple + backends can be specified at the same time, with different log + levels for each backend. The parameter is a list of backends, + where each backend is specified as backend[:option][@loglevel]. + + The 'option' parameter can be used to pass backend-specific + options. 
+ + The log level for a backend is optional, if it is not set for + a backend, all messages are sent to this backend. The parameter + determines overall log levels, + while the log levels specified here define what is sent to the + individual backends. + + When is set, it overrides the + and parameters. + + Some backends are only available when Samba has been compiled + with the additional libraries. The overall list of logging backends: + + + syslog + file + systemd + lttng + gpfs + ringbuf + + + The ringbuf backend supports an + optional size argument to change the buffer size used, the default is 1 MB: + ringbuf:size=NBYTES + +Example: syslog@1 file</string> + <string id="POL_E077BD91_3587_5DBA_A7CB_13044D97E451">log level</string> + <string id="POL_E077BD91_3587_5DBA_A7CB_13044D97E451_Help">The value of the parameter (a string) allows the debug level (logging level) to be specified in the + smb.conf file. + + + This parameter has been extended since the 2.2.x + series, now it allows one to specify the debug level for multiple + debug classes and distinct logfiles for debug classes. This is to give + greater flexibility in the configuration of the system. The following + debug classes are currently implemented: + + + all tdb printdrivers lanman smb smb2 smb2_credits rpc_parse rpc_srv rpc_cli passdb sam auth winbind vfs idmap quota acls locking msdfs dmapi registry + scavenger + dns + ldb + tevent + auth_audit + auth_json_audit + kerberos + dsdb_audit + dsdb_json_audit + dsdb_password_audit + dsdb_password_json_audit + dsdb_transaction_audit + dsdb_transaction_json_audit + + + To configure the logging for specific classes to go into a different + file then , you can append + @PATH to the class, eg log level = 1 + full_audit:1@/var/log/audit.log. + + Authentication and authorization audit information is logged + under the auth_audit, and if Samba was not compiled with + --without-json, a JSON representation is logged under + auth_json_audit. 
+ + Support is comprehensive for all authentication and authorisation + of user accounts in the Samba Active Directory Domain Controller, + as well as the implicit authentication in password changes. In + the file server, NTLM authentication, SMB and RPC authorization is + covered. + + Log levels for auth_audit and auth_audit_json are: + 2: Authentication Failure 3: Authentication Success 4: Authorization Success 5: Anonymous Authentication and Authorization Success + + + Changes to the sam.ldb database are logged + under the dsdb_audit and a JSON representation is logged under + dsdb_json_audit. + + Password changes and Password resets are logged under + dsdb_password_audit and a JSON representation is logged under the + dsdb_password_json_audit. + + Transaction rollbacks and prepare commit failures are logged under -- Samba Shared Repository
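Review bot: The Help strings drop every cross-referenced parameter name, leaving dangling sentences throughout the ADML: the lm announce text reads "at a frequency set by the parameter ." (POL_7E8FBFDB_CBDD_5CE7_B101_07AB8AA71209_Help), the ldap group/idmap/machine/user suffix strings read "If this parameter is unset, the value of will be used instead.", and client ldap sasl wrapping opens with "The defines whether ldap traffic will be signed". Whatever converts the smb.conf documentation into these strings appears to discard the element carrying the referenced option name; it should emit that name as plain text (e.g. "set by the parameter lm interval") so an administrator reading the policy in the editor knows which companion setting to configure. This matters most for the security-relevant options: "set start tls and yes" in the ldap ssl text and "the yes option" in the ldapsam:trusted/editposix text cannot be acted on without the names.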
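Review bot: Man page section numbers are rendered without their parentheses, producing "nmbd 8", "smbd 8", "smbpasswd 8" and "smb.conf5" across many Help strings, and in the debug pid text the reference is split over a line break as "smbd + 8-process". Render these as "nmbd(8)", "smb.conf(5)" and so on, or strip the section number entirely, since the ADML is shown verbatim in the policy editor.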
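Review bot: The log level Help string (POL_E077BD91_3587_5DBA_A7CB_13044D97E451_Help) names the JSON audit class inconsistently: the class list has "auth_json_audit" and the prose says "a JSON representation is logged under auth_json_audit", but the level table is introduced as "Log levels for auth_audit and auth_audit_json are:". Use "auth_json_audit" in the table heading so an administrator enabling authentication audit logging via this policy copies a class name that Samba actually recognises.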
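Review bot: In the gpo update command Help string (POL_23A4E426_BE59_5616_849E_94C825DDFC5B_Help) the description talks about the samba-gpupdate script but the trailing "Example: /usr/local/sbin/gpoupdate" uses a different name; align the example with the script named in the prose so the policy does not point administrators at a command that does not match the documented one.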
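Review bot: The ldapsam:editposix Help string embeds an example LDIF whose cn=admin entry carries "userPassword: secret". In a policy template that administrators are likely to paste from, an obvious placeholder (or omitting the userPassword attribute from the layout example) would be preferable to a literal credential, even though the surrounding example is illustrative.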